v0.1.0 — first public release

@wlphi wlphi released this 31 May 09:30

First public release of nixMatrix — a complete, self-hosted Matrix homeserver
stack as a single NixOS flake. Deploy a federated chat server with modern OIDC
login, web clients, optional bridges, video calls, and monitoring to a fresh VPS
with one nixos-anywhere run.

This is the NixOS sibling of ess-docker-compose, which deploys the same stack
with Docker Compose instead of NixOS.

What's included

  • Synapse homeserver with federation
  • Matrix Authentication Service (MAS) — modern OIDC/OAuth2 login (MSC3861)
  • Element Web, FluffyChat, and an admin panel
  • Caddy with automatic Let's Encrypt TLS, PostgreSQL 16, Redis
  • Prometheus + Grafana monitoring

All opt-in, off by default:

  • Messaging bridges — Telegram, WhatsApp, Signal, Discord (nixmatrix.bridges.*.enable)
  • hookshot — GitHub / GitLab / Jira / webhooks / RSS (nixmatrix.bridges.hookshot.enable)
  • Authelia SSO (nixmatrix.sso.enable)
  • TURN fallback for calls behind strict NAT (nixmatrix.turn.enable)
  • External reverse proxy mode + drop-in nginx/Apache configs (nixmatrix.externalProxy.enable)
  • Public self-signup (nixmatrix.openRegistration)

Getting started

git clone https://github.com/wlphi/nixmatrix && cd nixmatrix
./scripts/bootstrap.sh        # keys, secrets, your domain
nix run github:numtide/nixos-anywhere -- --flake .#matrix-server root@<SERVER_IP>

Set one value — your domain — and every service subdomain and user ID is derived
from it. Full guide in docs/DEPLOY.md.

Quality

  • An automated NixOS VM test boots the whole stack on every change and checks that
    the core services come up and stay up (zero restarts), the databases exist, and
    the critical paths work — login routed through MAS, OIDC discovery, well-known
    delegation, Element loading. hookshot is boot-tested end-to-end.
  • Static config checks (90) and the VM test run in CI.
  • Upgrade, rollback, and backup-restore are documented, with a restore-db.sh
    helper.

Status — please read

The stack is verified in CI but not yet proven across real-world deployments.
The VM test uses self-signed certificates and throwaway secrets, so it does not
exercise real Let's Encrypt issuance, federation with other servers, calls across
real networks, or the reverse-proxy path. Treat your first deploy as the real
test — and please open an issue with how it went. See docs/DEPLOY.md §9 for the
full list of caveats.
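
An added example, not code from nixMatrix: a first-deploy consistency check for well-known delegation and OIDC discovery, two of the paths the VM test only exercises with self-signed certificates. It validates three JSON documents you would fetch from your own server. The example.org hostnames, the rule that every endpoint sits under your domain, and the MSC2965 well-known key are assumptions about the deployment.

```python
import json
from urllib.parse import urlsplit

# Constructed sample responses. example.org, its subdomains and the MSC2965
# unstable well-known key are assumptions, not nixMatrix's confirmed output.
SERVER = '{"m.server": "matrix.example.org:443"}'
CLIENT = json.dumps({
    "m.homeserver": {"base_url": "https://matrix.example.org"},
    "org.matrix.msc2965.authentication": {"issuer": "https://auth.example.org/"},
})
OIDC = json.dumps({
    "issuer": "https://auth.example.org/",
    "authorization_endpoint": "https://auth.example.org/authorize",
    "token_endpoint": "https://auth.example.org/oauth2/token",
    "jwks_uri": "https://auth.example.org/oauth2/keys.json",
})

def in_domain(host, domain):
    # Dot-anchored suffix match, so "evilexample.org" is not "example.org".
    return bool(host) and (host == domain or host.endswith("." + domain))

def https_host(url):  # hostname of an https:// URL, else None
    parts = urlsplit(url) if isinstance(url, str) else None
    return parts.hostname if parts and parts.scheme == "https" else None

def check_delegation(domain, server_doc, client_doc, oidc_doc):
    """Return a list of problems; empty means the three documents agree."""
    try:
        server, client, oidc = (json.loads(d) for d in (server_doc, client_doc, oidc_doc))
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not all(isinstance(d, dict) for d in (server, client, oidc)):
        return ["well-known and discovery documents must be JSON objects"]
    problems = []
    target = server.get("m.server")
    host = urlsplit("//" + target).hostname if isinstance(target, str) else None
    if not in_domain(host, domain):
        problems.append(f"m.server {target!r} is not a host under {domain}")
    base = (client.get("m.homeserver") or {}).get("base_url")
    if not in_domain(https_host(base), domain):
        problems.append(f"base_url {base!r} is not https under {domain}")
    issuer = (client.get("org.matrix.msc2965.authentication") or {}).get("issuer")
    if not in_domain(https_host(issuer), domain):
        problems.append(f"advertised issuer {issuer!r} is not https under {domain}")
    if oidc.get("issuer") != issuer:  # OIDC Discovery requires an exact match
        problems.append(f"discovery issuer {oidc.get('issuer')!r} != {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not in_domain(https_host(oidc.get(key)), domain):
            problems.append(f"{key} {oidc.get(key)!r} is not https under {domain}")
    return problems
```

On a real deploy, pass in the bodies of `/.well-known/matrix/server`, `/.well-known/matrix/client` and the issuer's `/.well-known/openid-configuration`.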

Not yet implemented: Slack and IRC chat bridges.